how to -Ethernet- Mac address whitelist asus built in firmware

neednetworking

Occasional Visitor
I have an rt-ac 3100. I need a deterrent to non-authorized devices using both wifi and ethernet. I know there is a wifi mac filter whitelist which would be perfect, except it only applies to wifi. I need something that also applies to ethernet. Basically, I'd like to be able to go in and say allow this mac address and it would allow the device to connect to the network/internet. All unknown mac addresses would not be allowed. Any ideas?

I have one, but would like a better one.
----------
here is my current best idea:
set dhcp range to = the exact same # of trusted mac addresses
assign a static ip to each trusted mac in dhcp
make sure there are no extra un-assigned ips in the range.

If a new client tries to join that doesn't already have a dhcp reservation it will not be able to join since the dhcp range is fully assigned.

limitations:
max 64 reservations (which is actually too small.. wish it was about 100)
I know someone could manually assign an ip, I am not too concerned, this is a deterrent not fort knox.
I haven't yet tested the above; I don't know if it would work.
----------

Does someone have a better idea or an implementation idea for me?
 

Sky

Regular Contributor
I have an rt-ac 3100. I need a deterrent to non-authorized devices using both wifi and ethernet. I know there is a wifi mac filter whitelist which would be perfect, except it only applies to wifi. I need something that also applies to ethernet.
Curious… why ethernet? Are you trying to allow some ethernet-attached devices to access the router/internet but prevent others? Is the router providing DHCP or do you have another device on your LAN handling that? Or are you trying to allow-disallow incoming traffic?

AiProtection > Parental controls might give you some or all of what you need. It really depends on what you're trying to do.

If what you are concerned about is an outsider piggy-backing on your WiFi you could whitelist all of your known-good clients, then all others would be automatically rejected.

If you are concerned about unauthorized access to your physical hardwired network and plug-ins, that's a facilities issue, like "get better locks and better doors".
 

neednetworking

Occasional Visitor
Curious… why ethernet? Are you trying to allow some ethernet-attached devices to access the router/internet but prevent others? Is the router providing DHCP or do you have another device on your LAN handling that? Or are you trying to allow-disallow incoming traffic?

AiProtection > Parental controls might give you some or all of what you need. It really depends on what you're trying to do.

If what you are concerned about is an outsider piggy-backing on your WiFi you could whitelist all of your known-good clients, then all others would be automatically rejected.

If you are concerned about unauthorized access to your physical hardwired network and plug-ins, that's a facilities issue, like "get better locks and better doors".
Yes, ethernet and wifi blocking is desired so the device, whether wired or wireless, can't do anything at all (on lan or wan).
Yes, the router is providing dhcp.
Part of the issue is we have a wireless access point that is ethernet-ed (if I can use that word) to the asus. So all wifi clients on that wap appear to be ethernet clients. So I need a low-security way to inconvenience/block those as well. The wap doesn't have mac address filtering built in.

A mac address filter whitelist would be perfect ... but it would need to work for both ethernet and wifi clients.
 

ColinTaylor

Part of the Furniture
It is not possible to do what you want with your current devices. The AP is effectively behaving like a switch which is connected to a single LAN port on your router. The router has no ability to filter access to the LAN by MAC address on a single port. The only solution I can think of is for you to insert another switch in between the AP and the router that supports MAC based ACL's.
 

Sky

Regular Contributor
Yes, ethernet and wifi blocking is desired so the device, whether wired or wireless, can't do anything at all (on lan or wan).
Yes, the router is providing dhcp.
Part of the issue is we have a wireless access point that is ethernet-ed (if I can use that word) to the asus. So all wifi clients on that wap appear to be ethernet clients. So I need a low-security way to inconvenience/block those as well. The wap doesn't have mac address filtering built in.
It sounds like your entire network is behind a single port to the router, as are many. Mine is hybridized, some goes through a single port but some go through WiFi.
  • If the WAP is the unit providing DHCP you might try whitelisting there; or
  • If the final router is the unit providing DHCP you might try whitelisting there.
This will work for LAN/WAN on devices accessing the ASUS via WiFi.
This will only work for WAN on devices accessing the ASUS via Ethernet.

To try the idea I was putting forward go to: AiProtection > Parental controls > Time Scheduling. There you can select Disable/Time/Block by MAC address. Assuming the ASUS is the router handling DHCP that should work, but only for WAN access if the target device is (a) hardwired to the LAN, or (b) coming to the router via hardwire from a remote WAP.

A WiFi device going to the LAN/WAN via WiFi to the DHCP server can be utterly isolated using this method, no LAN / no WAN. I personally use this to cut some WiFi devices from any form of access to the LAN/WAN via the router, but the router is the WAP.

For the devices that come to the router via the single port through a dumb switch, they are denied WAN access but still have LAN access. Using this you can use [Block] to deny any hardwired device on your LAN access to the Internet (WAN), but not the LAN.

Can the WAP host a Guest Network? If so, does the WAP have any denial capabilities? If so you could deny your WiFi devices at the WAP.

If you want to deny a device access to the WAN and LAN, why not just air gap it in the first place? I'm sure you have very good reasons for doing what you're doing, but at first blush it appears needlessly complicated. It's kind of like, why is there a separate WAP? Is it for range?

Sky
 

neednetworking

Occasional Visitor
It sounds like your entire network is behind a single port to the router, as are many. Mine is hybridized, some goes through a single port but some go through WiFi.
  • If the WAP is the unit providing DHCP you might try whitelisting there; or
  • If the final router is the unit providing DHCP you might try whitelisting there.
This will work for LAN/WAN on devices accessing the ASUS via WiFi.
This will only work for WAN on devices accessing the ASUS via Ethernet.

To try the idea I was putting forward go to: AiProtection > Parental controls > Time Scheduling. There you can select Disable/Time/Block by MAC address. Assuming the ASUS is the router handling DHCP that should work, but only for WAN access if the target device is (a) hardwired to the LAN, or (b) coming to the router via hardwire from a remote WAP.

A WiFi device going to the LAN/WAN via WiFi to the DHCP server can be utterly isolated using this method, no LAN / no WAN. I personally use this to cut some WiFi devices from any form of access to the LAN/WAN via the router, but the router is the WAP.

For the devices that come to the router via the single port through a dumb switch, they are denied WAN access but still have LAN access. Using this you can use [Block] to deny any hardwired device on your LAN access to the Internet (WAN), but not the LAN.

Can the WAP host a Guest Network? If so, does the WAP have any denial capabilities? If so you could deny your WiFi devices at the WAP.

If you want to deny a device access to the WAN and LAN, why not just air gap it in the first place? I'm sure you have very good reasons for doing what you're doing, but at first blush it appears needlessly complicated. It's kind of like, why is there a separate WAP? Is it for range?

Sky
Thanks much, Sky, for taking time to reply.

I will look into the aiprotection as a means of blocking. However, I seem to remember one unfortunate limitation of aiprotection is that it relies on a blacklist only. Not a whitelist. In other words, I need to know the exact mac address of the device in order to block it. I was hoping for a solution whereby I could say these x number of devices are whitelisted, and any UNKNOWN devices are blocked.

The dhcp is handled on the asus.
The wap unfortunately doesn't have any mac filtering.. it's for range extending. Also in this scenario it is not possible to switch it out for a different model.

You mentioned wan-only blocking if ethernet/wifi traffic is coming in on a single port to the asus. That is the case. And wan-only blocking would probably be good enough. LAN blocking is not much of a concern. This is all just to be a deterrent, so if no wan is available that would probably be enough to cause people to not use it.
 

Sky

Regular Contributor
Thanks much, Sky, for taking time to reply.

I seem to remember one unfortunate limitation of aiprotection is that it relies on a blacklist only. Not a whitelist.
Correct, whitelisting is limited to Wireless > Wireless MAC Filter. You could consider setting up a (another?) Guest Network as an alternative. A realistic assessment of what you actually need to accomplish v want to accomplish may be in order, as-in:
  • What am I protecting
  • Why am I protecting it
  • What sorts of threats are realistically likely
If you're running a how-to-hack school you may not be protecting much, but the threat level could be extreme if talent presents. If you're trying to keep the kids off the internet… different story. If you're trying to keep from being pwned for a botnet, keeping the FW updated should do that for all practical and realistic scenarios.

In the end, security is like speed. The old hot rodders Q&A applies:
"How fast can I go?"
"How much money do you have?"

or…
"How secure can I be?"
"How much money do you have?"
 

neednetworking

Occasional Visitor
I had an idea I wanted to run by you.

What if I set the dhcp range to be only, say, 10 addresses, and I create 10 dhcp reservations/assignments? This would mean the dhcp server on the asus would not have any free addresses to hand out to connecting clients. Wouldn't that in effect be like a whitelist? Since the range is only those that have a reservation based on a mac address I typed in, there are no dhcp addresses free for unknown mac addresses..
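The "fully reserved DHCP range" recipe from post #1 and this post, modelled as an added example (not code from the thread or from ASUS firmware): a pool whose range spans exactly the reserved addresses, a check for the un-assigned gaps that post #1 warns about, and the 64-reservation cap the original poster reports. The MAC addresses and ranges are constructed; a client that configures its own static IP never asks DHCP, so this model says nothing about it.

```python
# Toy model of the "fully reserved DHCP pool as a MAC whitelist" idea from this
# thread. Constructed example; it does not configure a real router.
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

MAX_RESERVATIONS = 64  # GUI limit the original poster reports for the RT-AC3100

@dataclass
class DhcpPool:
    first: IPv4Address
    last: IPv4Address
    reservations: dict = field(default_factory=dict)  # mac -> reserved address
    leases: dict = field(default_factory=dict)        # mac -> address handed out

    def addresses(self) -> list:
        return [self.first + i for i in range(int(self.last) - int(self.first) + 1)]

    def reserve(self, mac: str, ip: str) -> None:
        mac, addr = mac.lower(), IPv4Address(ip)
        if mac not in self.reservations and len(self.reservations) >= MAX_RESERVATIONS:
            raise ValueError("reservation table full")
        if not self.first <= addr <= self.last:
            raise ValueError(f"{addr} is outside the DHCP range")
        self.reservations[mac] = addr

    def unreserved(self) -> list:
        """Addresses still free for an unknown client: the gap the recipe must close."""
        return [a for a in self.addresses() if a not in self.reservations.values()]

    def offer(self, mac: str) -> Optional[IPv4Address]:
        """What the server hands to a DISCOVER from this MAC (None = no lease)."""
        mac = mac.lower()
        if mac in self.reservations:
            self.leases[mac] = self.reservations[mac]
            return self.leases[mac]
        busy = set(self.reservations.values()) | set(self.leases.values())
        free = [a for a in self.addresses() if a not in busy]
        if not free:
            return None  # pool exhausted: the unknown MAC gets nothing via DHCP
        self.leases[mac] = free[0]
        return free[0]

def fully_reserved_pool(reservations: dict) -> DhcpPool:
    """The thread's recipe: a DHCP range spanning exactly the reserved addresses."""
    ips = sorted(IPv4Address(ip) for ip in reservations.values())
    pool = DhcpPool(ips[0], ips[-1])
    for mac, ip in reservations.items():
        pool.reserve(mac, ip)
    return pool  # verify pool.unreserved() == [] before relying on it as a whitelist
```

If the reserved addresses are not contiguous, `unreserved()` lists the holes an unknown device would still be offered, which is the check post #1 describes as "make sure there are no extra un-assigned ips".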
 

ColinTaylor

Part of the Furniture
I had an idea I wanted to run by you.

What if I set the dhcp range to be only, say, 10 addresses, and I create 10 dhcp reservations/assignments? This would mean the dhcp server on the asus would not have any free addresses to hand out to connecting clients. Wouldn't that in effect be like a whitelist? Since the range is only those that have a reservation based on a mac address I typed in, there are no dhcp addresses free for unknown mac addresses..
Isn't this exactly the same thing you proposed in post #1?
 
